Ashley Madison and Coming to “Terms” with Data Protection

A recent massive data hack of an online dating site, Ashley Madison, once again proves that what one publishes, says, or does online, even in seemingly private forums, is never completely private. It’s also a reminder that the legal recourse available in less traditional data breaches can be severely curtailed by what can be a formidable obstacle: a company’s Terms of Service.

When hackers recently targeted Ashley Madison, the online dating site for people on the prowl for extra-marital affairs that boasts 37 million members, they did so under a guise of righteous anger. Calling the users “cheating dirtbags,” the hackers threatened to expose site users’ names, addresses, credit card details, and salacious details from their online profiles unless the operators disbanded the site. As proof, the hacktivists published at least two members’ names and profiles. After threats of litigation from embarrassed users, Ashley Madison made an exception to its usual policy of forcing users to pay to delete their profiles from the website and allowed members to delete their accounts (including profiles, nude pictures and racy messages sent to other users) free of charge.

Obviously, the breach of a site designed to facilitate discreet cheating (and thus dedicated to keeping its users’ profiles confidential) represents a painful reminder for users that all information disclosed online is vulnerable. For the more traditional privacy breach involving credit card information, American users have recourse through state and federal laws. But due to Ashley Madison’s Terms of Service, aggrieved users may have limited recourse. Part of the issue is that the data taken relates to private information about the user’s extramarital affairs and interactions on the platform. In this scenario, it may be more likely that the Terms of Service could be used to shield Ashley Madison from liability for the data protection breach. For example, some of the terms provide:

“You acknowledge that although we strive to maintain the necessary safeguards to protect your personal data, we cannot ensure the security or privacy of information you provide through the Internet and your email messages. Our privacy policy is incorporated into the Terms by this reference. You agree to release us, our parent, subsidiaries and affiliated entities and ours and their shareholders, officers, directors, employees and agents, successors and assigns from all claims, demands, damages, losses, liabilities of every kind, known and unknown, direct and contingent, disclosed and undisclosed, arising out of or in any way related to the release or use of such information by third parties.”

“WE DO NOT WARRANT THAT … (E) ANY INFORMATION YOU PROVIDE OR WE COLLECT WILL NOT BE DISCLOSED TO THIRD PARTIES;… (H) THIRD PARTIES WILL NOT USE OF YOUR CONFIDENTIAL INFORMATION IN AN UNAUTHORIZED MANNER;”

“Limits on liability: YOU AGREE THAT WE WILL NOT BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING FROM, RELATING TO OR CONNECTED WITH: (C) DISCLOSURE OF, UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR CONTENT; …OR (F) ANY OTHER MATTER ARISING FROM, RELATING TO OR CONNECTED WITH OUR SERVICE OR THESE TERMS.”

Of course, whether these terms alone (all caps or no) could provide the basis for a successful Rule 12(b)(6) motion to dismiss any consumer complaint for the data breach depends on whether these disclosures were sufficiently clear to put the members on notice or whether the general permission in Ashley Madison’s terms of use constitutes the member’s clear consent to these terms.

That said, there have been at least two cases relating to a social media platform’s terms of service that have found otherwise:

In Fraley v. Facebook, a Rule 12(b)(6) motion to dismiss on the grounds that consumers provided consent to specific use of the consumer’s data (i.e., names, images, and likenesses) was denied because the court found that whether Facebook’s Statement of Rights and Responsibilities, Privacy Policy, or Help Center pages unambiguously give Facebook the right to use that data remained a disputed fact. Case No. 11-CV-01726 (Dec. 16, 2011). (The parties ultimately settled.)

In In re: Google Inc. Gmail Litigation, Google tried to get rid of a privacy class action accusing it of violating the Wiretap Act by using consumers’ data (i.e., scanning Gmail users’ email to target advertisements). However, the court declined the motion to dismiss in part because it held that Google’s disclosures were not sufficiently clear to put its users on notice of its practices such that the users could be deemed to have consented to those practices. 5:13-md-02430 (N.D. Cal. Sept. 26, 2013). Less than a year later, the court denied class certification, finding, inter alia, that the issue of consent would require highly individualized inquiries.

Let’s face it: the Ashley Madison hack probably has nothing new to teach us about the most basic aspect of online security. By now, anyone familiar with the Internet should realize that no online information is truly secure. But there are still plenty of lessons to take from the breach on the value of a carefully drafted Terms of Service agreement, whether one is agreeing to abide by one, or employing it to protect company interests.